Big Phish, Little Phish

I’m at home for the tail end of my fall break, and my mom just showed me the most sophisticated phishing scheme I’ve ever seen. She got a letter purporting to be from her mortgage company, informing her of the theft of a computer containing her customer data and offering to sign her up for an (expensive) identity-theft protection system.

She thought it was a scam by her mortgage company to sign her up for an expensive service when they’d be liable for any misuse of her data. But I looked closer at the letter and realized it was a third-party scam to get her credit card information. The PO Box number on the paper form she was supposed to fill out and return didn’t match up; the letter was printed in black-and-white instead of color; the URL to which she was supposed to go if she preferred online registration wasn’t the same as the company’s.

But the things they did right were remarkable. The letterhead was a close copy of the real thing; the addresses were all in the same place (just different in a few digits); the language was free of the usual malapropisms and typos that characterize most phishing attempts; they went to the trouble of laying out a complex sign-up form that could have passed for a genuine one. That they were using a snail-mail based attack at all was a perverse proof of their dedication: this is the kind of scam it takes professionals to finance and execute.

Now, the interesting twist on this whole story is that the letter’s basic pitch — that her information had been stolen from the company’s server — has to be true. After all, this was a mailing targeted at customers of the mortgage company.

If this is any indication, the future of phishing looks bleak indeed.

UPDATE: No, wait! Further inspection indicates that the mailing is probably genuine. In a sense, this is even worse—the company’s security practices are mighty sketchy. I’ll be doing some more investigation and then writing this incident up for Lawmeme.